DDoS: A Practical Survival Guide

DESCRIPTION

Protection against DDoS attacks

  • 1. DDoS: .

  • 2. 2: .

  • 3. Q1 2012 : 365 . : 12 : 2637 . : 37834

  • 4. [Chart: 15.89%, 14.52%, 17.26%, 14.25%, 16.71%, 9.59%, 11.78%]

  • 5. [Chart: weekly time axis, 1/1/12 to 3/25/12]

  • 6. [Chart: 41.37%, 32.88%, 25.75%]

  • 7. [Chart: 3.56%, 96.44%; legend: > 1Gbps, < 1Gbps]

  • 8. [Chart: 22.74%, 77.26%]

  • 9. DNS: NIC, Masterhost, FastVPS. : , WAhome. . Minerbot.

  • 10. 1k - 100-160 USD. . - 20 USD/.

  • 11.

  • 12. Apache mod_evasive

  • 13. Apache mod_evasive

        DOSHashTableSize 3097
        DOSPageCount 8
        DOSSiteCount 100
        DOSPageInterval 2
        DOSSiteInterval 2
        DOSBlockingPeriod 600
        DOSEmailNotify secure@adminmail.com

  • 14. Apache mod_evasive Apache

  • 15. Iptables --string

  • 16. Iptables --string

        # Record each source that sends "GET / HTTP" within the first 1024 bytes of a packet
        iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource
        # Drop the packet when the same source has 2 or more such hits within 10 seconds
        iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP

  • 17. Iptables --string .. . () . (kmp ) + retransmit. conntrack.

  • 18. NGINX testcookie_module

  • 19. JS

  • 20. Cookie/Redirect

  • 21. NGINX testcookie_module

        testcookie_name BPC;
        testcookie_secret keepmescret;
        testcookie_session $remote_addr;
        testcookie_arg attempt;
        testcookie_max_attempts 3;
        testcookie_fallback /cookies.html?backurl=http://$host$request_uri;
        testcookie_get_only on;
        location / {
            testcookie on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;
        }

    http://habrahabr.ru/post/139931/

  • 22. NGINX testcookie_module .NGINX.... .* UX. FBS.* .

  • 23. PyBrain

  • 24. PyBrain:

        0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0"

        [__UA___OS_U, __UA_EMPTY, __REQ___METHOD_POST, __REQ___HTTP_VER_HTTP/1.0,
         __REQ___URL___NETLOC_, __REQ___URL___PATH_/forum/rss.php,
         __REQ___URL___PATH_/forum/index.php, __REQ___URL___SCHEME_,
         __REQ___HTTP_VER_HTTP/1.1, __UA___VER_Firefox/3.0,
         __REFER___NETLOC_www.mozilla-europe.org, __UA___OS_Windows,
         __UA___BASE_Mozilla/5.0, __CODE_503, __UA___OS_pl, __REFER___PATH_/,
         __REFER___SCHEME_http, __NO_REFER__, __REQ___METHOD_GET,
         __UA___OS_Windows NT 5.1, __UA___OS_rv:1.9, __REQ___URL___QS_topic,
         __UA___VER_Gecko/2008052906]

    http://habrahabr.ru/post/136237/

  • 25. PyBrain . . . .

  • 26. tcpdump

  • 27. tcpdump

        # Capture 250 packets destined for port 80 into attack.log (pcap format)
        tcpdump -v -n -w attack.log dst port 80 -c 250
        # Count packets per source IP address, busiest sources first
        tcpdump -nr attack.log | awk '{print $3}' | grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' | sort | uniq -c | sort -rn

  • 28. tcpdump . tcpdump?

  • 29. . . . > _.

  • 30. FALSE POSITIVES. . .

  • 31. NGINX testcookie_module

  • 32. One last thing
    [Charts repeated from slides 7 and 8: 3.56%, 96.44% (> 1Gbps, < 1Gbps); 22.74%, 77.26%]

  • 33. ?

  • 34. .
    1. nginx/ipset .
    2. conntrack.
    3. ip
    4. .
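
Added example, not part of the original slides: slide 24 shows an access-log line next to the token dictionary built from log lines as classifier input. The Python below turns combined-format log lines into tokens with the slide's names and then into 0/1 vectors; the splitting rules are inferred from those token names, and sample lines 2 and 3 are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl
LOG_RE = re.compile(  # Apache/nginx "combined" access-log format
    r'\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) (?P<ver>[^"]+)" '
    r'(?P<code>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Sample input: line 1 is the slide's request; lines 2 and 3 are constructed.
SAMPLE = [
    '0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 '
    'HTTP/1.0" 200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; '
    'rv:1.9) Gecko/2008052906 Firefox/3.0"',
    '192.0.2.7 - - [20/Dec/2011:15:00:04 +0400] "POST /forum/index.php '
    'HTTP/1.1" 503 0 "http://www.mozilla-europe.org/" ""',
    'not an access-log line',
]

def url_tokens(prefix, url):
    """Scheme, host, path and query-string keys (never values) as tokens."""
    u = urlsplit(url)
    return ([f"{prefix}___SCHEME_{u.scheme}", f"{prefix}___NETLOC_{u.netloc}",
             f"{prefix}___PATH_{u.path}"]
            + [f"{prefix}___QS_{k}" for k, _ in parse_qsl(u.query, True)])

def ua_tokens(ua):
    """Split 'Base (os; os; ...) Product/ver ...' (rule inferred from the slide)."""
    if ua in ("", "-"):
        return ["__UA_EMPTY"]
    m = re.match(r"(\S+?)\s*\(([^)]*)\)\s*(.*)", ua)
    if m is None:  # no platform section, e.g. a bare tool name
        return [f"__UA___BASE_{ua}"]
    base, platform, rest = m.groups()
    os_toks = [f"__UA___OS_{p.strip()}" for p in platform.split(";") if p.strip()]
    return [f"__UA___BASE_{base}"] + os_toks + [f"__UA___VER_{v}" for v in rest.split()]

def features(line):
    """Token set for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    toks = url_tokens("__REQ___URL", m["url"]) + ua_tokens(m["ua"])
    toks += [f"__REQ___METHOD_{m['method']}", f"__REQ___HTTP_VER_{m['ver']}"]
    toks += ["__NO_REFER__"] if m["ref"] in ("", "-") else url_tokens("__REFER", m["ref"])
    return set(toks + [f"__CODE_{m['code']}"])

def vectorize(lines):
    """Shared vocabulary plus one 0/1 input vector per parsed line."""
    rows = [f for f in map(features, lines) if f is not None]
    vocab = sorted(set().union(*rows))
    return vocab, [[int(t in r) for t in vocab] for r in rows]
```

Query-string values are left out of the tokens on purpose, so the vocabulary stays bounded when an attacker randomises parameters.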